Create web apps with the Clover REST API

Clover web apps offer a seamless experience and enable merchants to connect services through a central hub. You can build a browser-based integration that uses our REST API along with OAuth to create a secure connection to your website. You can redirect a merchant from the Clover Merchant Dashboard to your website URL (link).

You can create an alternate integration path for scenarios where a native, on-device experience may not be appropriate. Clover developers have used our OAuth protocol for reporting, analytics, Ecommerce integrations, and more.

Before you begin

Here's how you go about building Clover REST APIs:

1. Choose your region:
   • North America—United States and Canada: Create a single developer account and access both the sandbox and production environments on the Global Developer Dashboard. See Get started with the global developer platform.
   • Europe and Latin America: Create separate developer accounts on the sandbox environment and the region-based production environments.
2. Import the sample inventory to get started with your test merchant. See Import inventory.
3. Use the appropriate OAuth flow.
4. Use the following resources for guidance on how to build your app with Clover REST API:
   • Use Clover REST API.
   • Check out our video tutorials about Clover Rest APIs
   • Use webhooks to receive and handle notifications about changes in merchant data.
   • Manage orders and learn to calculate taxes with these examples.
   • Learn about API usage & rate limits.
   • Build solutions for accepting payments with Ecommerce API.
   • Use the Payment Card Industry security guidance for app developers.

Web app development guidelines

The following web development guidelines can help you create good apps that give a great experience to Clover merchants.

1. Be aware of web security principles

Do's

Clover recommends you familiarize yourself with basic web security principles. The Open Web Application Security Project (OWASP) offers several resources that will help you get started:

• OWASP homepage
• OWASP Top Ten
• OWASP/Developer Guide
• OWASP Cheat Sheet Series

Don'ts

• Don't check app tokens into your source code online.
• Don't prompt users to enter sensitive cardholder data, such as card numbers and expiration dates, except as part of Clover payments SDK (this means that third-party Clover Apps are not payment apps as the term is defined in the PCI PA DSS).

2. Secure merchant data

The Clover REST API lets you access a database. Hence, you need to follow the security standards for database access.

• Use server-to-server requests as much as possible when your web application accesses the Clover API.
• Securely store any data that your own services cache.

3. Limit client access

Customer and employee-facing apps must prevent unauthorized users from accessing privileged data, including the Clover credentials your app uses.

• Use secure logins and session tracking if needed.
• Use server logic to prevent unauthorized access to data by injection attacks.
• Consider any data passed to the client in any format as vulnerable.

4. Ease of Clover integration

• Make it easy for merchants to log in. The URL (link) for your web app should launch the login flow, not browse to the general homepage for your business.
• Include your Web URL prior to submission and test it with an example OAuth request.